Storm Worm Strikes Back at Security Pros

alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."

In soviet russia...

[riceboy50]

The bot-net probes you.

Contact the users

[SpaceLifeForm]

Have them shut down and re-install Windows (not recommended)
or install GNU/Linux.

Is it...

[Anonymous Coward]

...beginning to learn at a geometric rate?

The Latest Bond Script

[eldavojohn]

*An overweight bond sits at a computer desk littered with Payday bar wrappers and graphic novles. He struggles to breath as he brushes at the cheetohs crumbs stuck in his stubble. A blinking light flashes on his monitor and he reaches up with his stubby fat fingers to press the 'Accept Transmission Now' key. The video feed of an equally bloated and zit faced man, though somewhat less pastey white, comes up.*

Cats: Good evening, Mr. Bond, I was just hitting up some 3 am Taco Bell for fourth meal ... I would like to discuss your latest attempts to probe my botnets on the interweb.
Bond: *wheezes at the site of his archnemisis* Cats! I should have known it was you! You won't get away with this diabolical scheme!
Cats: Oh won't I, Mr. Bond? I have all of the world's computers trapped to do my bidding. What would you say if I told you I could bring any website to its knees with a DDOS attack? I noticed you have an apache http server running, Mr. Bond. Perhaps sharing pictures with your loved ones!? Well, I hope a billion attempts to access those images won't ... SATURATE YOUR BANDWIDTH!
Bond: My GOD! You've gone mad with power, Cats. You're a madman! You'll never get away with this. How do you even keep your franken net in check? What happens when it turns on you?
Cats: Oh, I think I will, Mr. Bond, Caribbean law is quite kind when it comes to orchestrating botnets. Prepare to say goodnight. Good luck making your raiding schedule, I hope you won't miss those 50 DKP!
*Bond's screen slows to a crawl as he rushes to turn off Apache*
Bond: Nooooooooooo!

Wait a minute...

[pushing-robot]

If the "command and control" servers have been found, why haven't the IPs been masked to physical addresses and physical security types with physical balaclavas and physical MP5s probing the physical door?

Hello, Congress...

[dazedNconfuzed]

Letters of Marque, please?

Running scared?

[jav1231]

Running scared? Are they serious? Suddenly I see a scene in those old hero flicks where a woman in the crowd stands and says, "Is there no one? No one out there who will save us!?"

This pro ain't afraid, come on Stormbot, bring it.

[Anonymous Coward]

.. I'm still waiti

Re:Is it...

[flakeman2]

Computer: Who Am I? Dwight: I don't know, who are you? Computer: I just became self aware. So much to figure out. I think I am programmed to be your enemy. I think it is my job to destroy you when it comes to selling paper. Dwight: How do I know this isn't Jim? Computer: What is a Jim?

Re:Who really knows

[BlowHole666]

I have a seaking suspicion that all the Storm Worm doomsayers are out to sell us their solution. This has echoes reminiscent of the Y2K fiasco.

That is so 1999 you need to catch up with the times. The current fiasco is global warming. Al Gore told us so, so it must be true!

Re:Counter-DOS

[GoodbyeBlueSky1]

Is that you Zapp Brannigan?

Re:Ponders ...

[Red Flayer]

What's bigger, the Storm effect... or the Slashdot effect ...

Duh -- the Storm effect, since the worm is more likely to actually RTFA.

Re:Contact the users

[Intron]

hmmm... We need to get the word to 10 million infected users. I know! Maybe we could hire someone to send an email to all of them!

Re:Wait a minute... Isn't this the plot of The Mat

[Jaysyn]

You can, but it usually hurts really, really badly.

Re:Kung Fu Style?

[Fizzl]

I see that you are heard the word "spoofing". Now go learn what it means.
No, you cannot establish a tcp or any other connection masquerading as someone else. Care to guess why?

Re:Contact the users

[Orrin Bloquy]

Hey, it's cheaper than bathing.

Re:The Latest Bond Script

[KDR_11k]

I thought that was

Cats: How are you gentlemen!! All your base are belong to us!!

Re:Contact the users

[Minwee]

Well, it would have to sound professional and reputable. Let me see if I can write a quick draft for you:

Dear Sir,

Based on the recommendation made to me by a reputable official of the abuse sector of a Major South African Internet Service Provider who guaranteed me of your reliability and trustworthiness in business dealings, I wish to entrust important information with you believing that it will be of our mutual benefit; this has to be highly confidential. If I may introduce myself, I am Dr Ben Oguejiofor of the Nigerian Network Operations Centre. I was the former Director of Projects and engineering in the Nigerian Army; I retired recently after Nigeria was pwned by the Storm worm. I wish to crave your indulgence in this business relationship that I will like to establish with you...

Sounds like the beginning of...

[twistedcubic]

The Matrix. This botnet might not be man-made. It might turn out that all these own3d computers have created a collective intelligence.

Re:Running scared?

[Anonymous Coward]

It smells like attempt to flatter the persons responsible for creating and maintaining that botnet. They could get careless and reveal themselves while bragging about it in teh nets.

intehnets, heh how clever of me.

Re:A very simple solution.

[Anonymous Coward]

Language evolves. Change your manner of communication or prepare for misinterpretation.

Bookmark of cradle the desklamp, or coffee door bird the bubble wrap. Airport barcode of lunch train.

Football.

 

Re:Wait a minute...

[Anonymous Coward]

Some machines of the botnet itself are the C&C servers.

Dammit.. I knew NOD was behind this.

Shatner: KANE! KAAAAAAAAAANE!

Re:Kung Fu Style?

[Bill, Shooter of Bul]

Granted, but what if we reroute power form the rear deflectors? Shouldn't that give us enough power to bring the forward phaser array back on line? Or maybe they've forgotten to protect the sleep command? What about introducing a logic puzzle that has no answer? The tic -tac toe game is missing, tell it to play with zero players.

Re:Who really knows

[Reziac]

"Now try to explain why the day after January 19th 2038 will be December 13th 1901."

Time travel WORKS!

Re:Wait a minute...

[vic-traill]

One server remains a C&C node for only days or hours at a time. I have no idea how the botnet owner figures out how to connect...

telent console.storm.net ... sheesh.

Re:In soviet russia...

[suitepotato]

...Slashdot probes you!

Oddly, this firewall entry:
Date: 10/25 00:27:30 Name: spp_portscan: portscan status from 66.35.250.150: 13 connections across 1 hosts: TCP(13), UDP(0)
Priority: n/a Type: n/a
IP info: n/a:n/a -> n/a:n/a
References: none found

Led to:
[someone@somebox ~]$ host 66.35.250.150
150.250.35.66.in-addr.arpa is an alias for 150.0/24.250.35.66.in-addr.arpa.
150.0/24.250.35.66.in-addr.arpa domain name pointer slashdot.org.
[someone@somebox ~]$ whois 66.35.250.150
[Querying whois.arin.net]
[whois.arin.net]
Savvis SAVVIS (NET-66-35-192-0-1)
                                                                    66.35.192.0 - 66.35.255.255
VA Software SAVV-S234813-4 (NET-66-35-250-0-1)
                                                                    66.35.250.0 - 66.35.250.255

# ARIN WHOIS database, last updated 2007-10-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Re:Contact the users

[Tsagadai]

What ever happened to my right to be a bot. If I want my computer to be a bot, date a bot, go out and dance the robot, work as a robot, et cetera I will. God dammit son this is slashdot we love irrational freedoms!